R. Wang,X. Song,M. Gu

DOI: https://doi.org/10.1049/iet-sen:20070009

2007-01-01

IET Software

Abstract:Validation is an important task in complex embedded system designs. A method of modelling and analysing embedded systems with programmable logic controllers is presented. Controllers and physical plants are modelled using timed automata. The system requirements are specified and formalised as computational tree logic properties. It is demonstrated that the designed model satisfies the required properties by resorting to a symbolic model checker, Uppaal, for real-time systems. A realistic example, the steeve controller of a theatre, illustrates the strategies. The safety and time constraint requirements are validated by Uppaal. The experimental results demonstrate the effectiveness of the approach presented here.

zhibin yang,kai hu,yongwang zhao,dianfu ma,jeanpaul bodeveix

DOI: https://doi.org/10.13328/j.cnki.jos.004776

2015-01-01

Abstract:This paper presents a formal verification method for AADL (architecture analysis and design language) models by TASM (timed abstract state machine) translation. The abstract syntax of the chosen subset of AADL and of TASM are given. The translation rules are defined clearly by the semantic functions expressed in a ML-like language. Furthermore, the translation is implemented in the model transformation tool AADL2TASM, which provides model checking and simulation for AADL models. Finally, a case study of space GNC (guidance, navigation and control) system is provided.

Eun-Young Kang,Li Huang

DOI: https://doi.org/10.48550/arXiv.1806.07702

2018-06-20

Software Engineering

Abstract:Modeling and analysis of timing constraints is crucial in automotive systems. EAST-ADL is a domain specific architectural language dedicated to safety-critical automotive embedded system design. In most cases, a bounded number of violations of timing constraints in systems would not lead to system failures when the results of the violations are negligible, called Weakly-Hard (WH). We have previously specified EAST-ADL timing constraints in Clock Constraint Specification Language (CCSL) and transformed timed behaviors in CCSL into formal models amenable to model checking. Previous work is extended in this paper by including support for probabilistic analysis of timing constraints in the context of WH: Probabilistic extension of CCSL, called PrCCSL, is defined and the EAST-ADL timing constraints with stochastic properties are specified in PrCCSL. The semantics of the extended constraints in PrCCSL is translated into Proof Objective Models that can be verified using SIMULINK DESIGN VERIFIER. Furthermore, a set of mapping rules is proposed to facilitate guarantee of translation. Our approach is demonstrated on an autonomous traffic sign recognition vehicle case study.

Apipath Kamput,Chanon Dechsupa,Wiwat Vatanawood,Suttinan Pomsiri

DOI: https://doi.org/10.1109/access.2024.3455097

IF: 3.9

2024-09-14

IEEE Access

Abstract:Modeling and verification are crucial in designing traffic light control systems, guaranteeing these systems meet desired operational properties and handle dynamic traffic conditions effectively. The design process involves addressing complexities such as route intricacy, congestion, timing, and prioritization, especially important in areas with multiple interconnected intersections. A key aspect of this process is developing a scalable model, essential for adapting to various traffic scenarios and intersection configurations. This paper presents a method using UPPAAL, a timed-automata tool, for modeling and verifying smart traffic light systems. We focus on creating scalable models, facilitating effective synchronization across intersections. Our approach includes templates and frameworks to assist in formalizing traffic light designs, emphasizing verification of safety, structural integrity, and performance. The results of our study reveal a significant usability in verification approaches through the use of formal model templates. Additionally, the model's phases and stages, complete with adaptable time schedules, show flexibility in environments with variable parameters.

computer science, information systems,telecommunications,engineering, electrical & electronic

Weigang Ma,Xinhong Hei

DOI: https://doi.org/10.1109/ICCASM.2010.5620084

2010-01-01

Abstract:A modeling and verification methodology is presented for railway interlocking system which is regarded as a safety-critical system. The methodology utilizes UML (Unified Modeling Language) to model the function requirement and FSM (Finite State Machine) to verify the safety requirements of the specification. The device specifications of railway interlocking system are modeled with UML, and dynamic behaviors of the device and whole system are modeled with FSM, the safety specification is translated LTL (Linear Temporal Logic) and analyzed with NuSMV. We try to show the feasibility of improving the reliability and reducing revalidation efforts when designing and developing a decentralized railway signaling system.

Qingdi Meng,Lianyi Zhang,Guiming Luo

DOI: https://doi.org/10.1109/ICCI-CC.2014.6921483

2014-01-01

Abstract:The synthetic system composite of cyber system and physical environment is hard to be modelled. It results that the formal verification for the interacted embedded software is very complicated. Integrated three kinds of timed automata, a systematic modelling approach is proposed in this paper for the embedded system with physical environment and artificial intermediary. All cyber-physical system components including embedded program, environment and their interface are formalized into timed automata. The behavior of real-time system is modeled as formal notation effectively. Based on visual modelling and auto verification tool the system simulation and specification verification have been achieved. A case study of path traversing for automated guided vehicle is given to illustrate our approach.

Vivek Vishal,Sagar Gugwad,Sanjay Singh

DOI: https://doi.org/10.5120/8402-2321

2012-08-17

Abstract:This paper addresses the issue of modeling and verification of a Multi Agent System (MAS) scenario. We have considered an agent based adaptive traffic signal system. The system monitors the smooth flow of traffic at intersection of two road segment. After describing how the adaptive traffic signal system can efficiently be used and showing its advantages over traffic signals with predetermined periods, we have shown how we can transform this scenario into Finite State Machine (FSM). Once the system is transformed into a FSM, we have verified the specifications specified in Computational Tree Logic(CTL) using NuSMV as a model checking tool. Simulation results obtained from NuSMV showed us whether the system satisfied the specifications or not. It has also showed us the state where the system specification does not hold. Using which we traced back our system to find the source, leading to the specification violation. Finally, we again verified the modified system with NuSMV for its specifications.

Software Engineering,Logic in Computer Science

Zhaorong Xiong,Jinian Bian,Yanni Zhao

DOI: https://doi.org/10.1109/ICCCAS.2010.5581859

2010-01-01

Abstract:SystemC TLM library is the de facto standard for the transaction level modeling of the System-on-Chip designs. In this paper, we will propose an on-line assertion-based verification method which can be used in the transaction modeling of SystemC. The advantage of this method is that simple properties can be extracted from the transactions with complex structures. Assertions are built from these properties using Property Specification Language and evaluated during the simulation. The experiment results show that our method enrich the TLM library with ABV ability while incurring unnoticeable performance overhead to the simulation.

Weigang Ma,Xinhong Hei

DOI: https://doi.org/10.2991/iccasm.2012.212

2012-01-01

Abstract:A verification methodology is presented for railway interlocking system which is regarded as a safety-critical system.The methodology utilizes UML to model the function requirement and LTL to verify the safety requirements of the specification.The device specifications of railway interlocking system are modeled with UML, then translate into FSM.The safety specification is translated LTL and analyzed with NuSMV.We try to show the feasibility of improving the reliability and reducing revalidation efforts when designing and developing a decentralized railway signaling system.

Bo Chen,Xi Li,Xuehai Zhou

DOI: https://doi.org/10.1016/j.sysarc.2018.06.002

IF: 5.836

2018-01-01

Journal of Systems Architecture

Abstract:Modelling and Analysis of Real-time and Embedded systems (MARTE) as a domain-specific language is widely used for designing, analysing, and the building of cyber physical systems (CPS). It also provides CCSL as a purely declarative language for expressing logical and chronometric constraints on clocks. Although MARTE/CCSL is powerful expressively, it lacks formal semantics-based language support for describing and analysing. Semantic support, such as timed Input/Output automata not only provides modelling and analysis of timing behaviors, it also provides modelling of the Input/Output behaviors in a direct sense compared to timed automata. The Input/Output behavior can verify the casual relationship between components, one of the most important behaviors is the fairness between components. Thus, to improve the capacity of modeling and verification of the MARTE/CCSL behavior model, we present a method to use MARTE/CCSL as a high level specification language for modelling, then mapping MARTE/CCSL behavior model to timed Input/Output automata, then using an integrated tool (UPPAAL-TIGA) to verify the safety, liveness, and fairness thereof. Finally, we demonstrate the proposed transformation method using a Telerobot control system of real-time systems.

Jonas Fritzsch,Tobias Schmid,Stefan Wagner

DOI: https://doi.org/10.1109/ICST49551.2021.00049

2020-11-20

Abstract:In the age of autonomously driving vehicles, functionality and complexity of embedded systems are increasing tremendously. Safety aspects become more important and require such systems to operate with the highest possible level of fault tolerance. Simulation and systematic testing techniques have reached their limits in this regard. Here, formal verification as a long established technique can be an appropriate complement. However, the necessary preparatory work like adequately modeling a system and specifying properties in temporal logic are anything but trivial. In this paper, we report on our experiences applying model checking to verify the arbitration logic of a Vehicle Control System. We balance pros and cons of different model checking techniques and tools, and reason about our choice of the symbolic model checker NuSMV. We describe the process of modeling the architecture, resulting in ~1500 LOC, 69 state variables and 38 LTL constraints. To handle this large-scale model, we automate and optimize the model checking procedure for use on multi-core CPUs and employ Bounded Model Checking to avoid the state explosion problem. We share our lessons learned and provide valuable insights for architects, developers, and test engineers involved in this highly present topic.

Software Engineering,Hardware Architecture,Systems and Control

Huafeng Zhang,Yu Jiang,Han Liu,Hehua Zhang,Ming Gu,Jiaguang Sung

DOI: https://doi.org/10.1145/2970276.2970280

2016-01-01

Abstract:Synchronous embedded systems are becoming more and more complicated and are usually implemented with integrated hardware/software solutions. This implementation manner brings new challenges to the traditional model-driven design environments such as SCADE and STATEMATE, that supports pure hardware or software design.In this paper, we propose a co-design tool Tsmart-Edola to facilitate the system developers, and automatically generate the executable VHDL code and C code from the formal verified SyncBlock computation model. SyncBlock is a lightweight high-level system specification model with well defined syntax, simulation and formal semantics. Based on which, the graphical model editor, graphical simulator, verification translator, and code generator are implemented and seamlessly integrated into the Tsmart-Edola. For evaluation, we apply Tsmart-Edola to the design of a real-world train controller based on the international standard IEC 61375. Several critical ambiguousness or bugs in the standard are detected during formal verification of the constructed system model. Furthermore, the generated VHDL code and C code of Tsmart-Edola outperform that of the state-of-the-art tools in terms of synthesized gate array resource consumption and binary code size.

Wei Yu,Guanghui He,Ningyi Xu,Zucheng Zhou

DOI: https://doi.org/10.1109/ICCCAS.2006.285195

2006-01-01

Abstract:As implementation technology has evolved into increasingly complex integrated circuits and time-to-market pressure increases day by day, system level design issues become more critical in the context of system on Chip, which gives rise to the need for abstract executable specifications (models) covering both hardware and embedded software. The new capabilities of SystemC 2.0, such as those added for transaction-based communication and test-bench specification and monitoring, facilitate this SoC modeling. In this paper, we present a transaction level modeling and verification method of IEEE 802.15.3 MAC chip based on SystemC 2.0, which include an accuracy video model and a transaction level system model of IEEE 802.15.3 MAC protocol. With the proposed scheme, we can get a reusable test bench which can be used at both transaction level and register transfer level. In this case, the verification efficiency and accuracy will be greatly improved. Specially, the transaction level model can significantly reduce product development risk while avoiding expensive over-engineering by ensuring the architecture meets all performance, power and cost requirements prior to implementation, allowing design resources to focus on value-added functions. © 2006 IEEE.

Xiong Xu,Shuling Wang,Bohua Zhan,Xiangyu Jin,Naijun Zhan,Jean-Pierre Talpin

DOI: https://doi.org/10.1145/3631483.3631487

2023-10-30

ACM SIGAda Ada Letters

Abstract:The design of safety-critical cyber-physical systems (CPSs) involve several dimensions, including physics, hardware rchitecture and software functionality. It is desirable to design CPSs by taking these issues into account uniformly and yet, few existing design workflows support this aim. For instance, AADL is an architecturecentric modelling formalism for CPSs, which focuses on modelling architecture and prototyping real-time hardware platforms, but it delegates physical and software behavioral models to so-called annexes. By contrast, Simulink/Stateflow (S/S) focuses on modelling interacting physical and software behaviors, but does not render the non-functional characteristics of their hardware platforms. To address this issue, in [1], we proposed the combination of AADL and S/S, called AADL S/S, to comodel CPSs and presented a method to uniformly analyse and verify them. AADL S/S provides a unified graphical co-modelling environment for CPS design and supports simulation through C code generation. Also, [1] presented a formal semantics of AADL S/S by translation to Hybrid Communicating Sequential Processes (HCSP), yielding a deductive verification framework of the combined models using Hybrid Hoare Logic (HHL). Additionally, [1] proved the correctness of the translation of AADL S/S to HCSP.

Yanyan Gao,Xi Li

DOI: https://doi.org/10.1109/samos.2013.6621107

2013-01-01

Abstract:SystemC has become a de-facto standard language for SoC and ASIP designs. The verification of implementation with SystemC is the key to guarantee the correctness of designs and prevent the errors from propagating to the lower levels. The gap between SystemC TLM model and its corresponding formal model makes it hard to perform automated translation between them. SystemC describes process behavior in sequential statements and usually employs intermediate variables, while most model checking languages for hardware only describe parallel behaviors, in which the usage of intermediate variables not only increases state space and may prolong execution time, but also introduce potential errors. For a model checking language which supports parallel description, the elimination of redundant intermediate variables is requisite and also an efficient way to reduce the state space. This paper intends to solve these issues: (1) proposing an extraction method that can implement the translation from a description which supports sequential execution to a description supports parallel execution; (2) identifying and removing redundant intermediate variables. In this paper, a novel mechanism is presented to automatically extract behavior description from SystemC to a widespreadly used model checking language SMV. We have implemented a tool SC2SMV and performed actual extraction process on it to demonstrate the effectiveness of the method presented in this paper.

Xiaohong Chen,Zhiwei Zhong,Zhi Jin,Min Zhang,Tong Li,Xiang Chen,Tingliang Zhou

DOI: https://doi.org/10.1109/re.2019.00040

2019-01-01

Abstract:Consistency verification of safety requirements is an important but still challenging task for safety-critical systems such as rail transit systems. That is mainly because requirements are typically written in natural language and with strong time constraints. Driven by the practical need from industry, in this paper we propose a systematic approach to specify safety requirements in a quasi-natural language and automatically verify their consistency using formal methods. Specifically, we define a domain specific language SafeNL to specify safety requirements, and then automatically transform them into formal constraints defined in the Clock Constraint Specification Language (CCSL). The transformed constraints can be automatically and efficiently verified by model checking. We conduct two practical case studies to analyze the safety requirements of an interlocking system in CASCO Signal Ltd. Results of the studies show the validity and utility of our approach can pragmatically contribute to industrial practice. We also report some lessons learned from case studies.

ZHANG Yu-ang,LI Li,YANG Sheng-guang,XU Yi,ZHANG Bing

DOI: https://doi.org/10.3969/j.issn.1000-7180.2007.12.054

2007-01-01

Abstract:Transaction level modeling can speed up the building of system model and reduce the simulation time by modeling in a higher level.Based on SystemC,we model the AHB protocol in TLM and refine its communication channel subsequently.Combining the BCA level partly,the simulation result shows that the TLM model contains more information of cycle/protocol,meanwhile,preserves the superiority in speed.The method of modeling is useful for early validation and exploration of the system.Furthermore,we perform the communication refinement:turn the abstract channel to the module entities and ports,which is quite important for the final RTL implementation.

Yu Jiang,Yixiao Yang,Han Liu,Hui Kong,Ming Gu,Jiaguang Sun,Lui Sha

DOI: https://doi.org/10.1109/rtas.2016.7461337

2016-01-01

Abstract:Simulink is widely used for model driven development (MDD) of industrial software systems. Typically, the Simulink based development is initiated from Stateflow modeling, followed by simulation, validation and code generation mapped to physical execution platforms. However, recent industrial trends have raised the demands of rigorous verification on safety-critical applications, which is unfortunately challenging for Simulink. In this paper, we present an approach to bridge the Stateflow based model driven development and a well- defined rigorous verification. First, we develop a self- contained toolkit to translate Stateflow model into timed automata, where major advanced modeling features in Stateflow are supported. Taking advantage of the strong verification capability of Uppaal, we can not only find bugs in Stateflow models which are missed by Simulink Design Verifier, but also check more important temporal properties. Next, we customize a runtime verifier for the generated nonintrusive VHDL and C code of Stateflow model for monitoring. The major strength of the customization is the flexibility to collect and analyze runtime properties with a pure software monitor, which opens more opportunities for engineers to achieve high reliability of the target system compared with the traditional act that only relies on Simulink Polyspace. We incorporate these two parts into original Stateflow based MDD seamlessly. In this way, safety-critical properties are both verified at the model level, and at the consistent system implementation level with physical execution environment in consideration. We apply our approach on a train controller design, and the verified implementation is tested and deployed on a real hardware platform.

Anping He,William N. N. Hung,Guowu Yang,Jinzhao Wu,Lian Li

DOI: https://doi.org/10.1016/j.camwa.2011.02.004

2011-01-01

Abstract:The modern stage suspended boom system is automatically controlled by PLC (programmable logic controller), and represents a typical hybrid behavior. It is an important family of stage control machinery systems. This paper presents a formal approach to modeling the system behaviors of different scenes. The system is formally characterized and specified in a timed model. System properties are proved in the proof system of the extended duration calculus. The case study illustrates the feasibility of the proposed verification framework.

Carlos Ivan Castro Marquez,M. Strum,J. Wang

DOI: https://doi.org/10.1109/IDT.2013.6727074

2013-12-01

Abstract:Formal techniques allow exhaustive verification on circuit design (at least in theory), but due to actual computational limitations, workarounds must always be adopted to check only a portion of the design at a time. Sequential equivalence checking is an effective approach, but it can only be applied between circuit descriptions where a one-to-one correspondence for states, as well as for memory elements, is expected. This paper presents a formal methodology to verify RTL descriptions through direct comparison with high-level reference models. By doing so, there is no need to specify or analyze formal properties, as the complete behavior is already contained in the reference model. We also consider the natural discrepancies between system level and RTL code, including non-matching interface and memory elements, and state mapping. In this manner, we are able to prove the functional coherence for the overall sequential behavior of the design under verification.

Engineering,Computer Science